For digital health companies, NHS teams, and investors in the UK, the path from an innovative idea to a successfully adopted clinical tool is paved with complex regulatory and assurance requirements. Navigating the expectations of the NHS and the MHRA is no longer optional; it is the critical determinant of success. That is why today, we are proud to introduce insights by iatroX—a new clinical safety and strategy service designed to help you build and deploy digital health products that are safe, compliant, and ready for adoption.
Our advice is not just theoretical. It is pragmatic and evidence-led, informed by our real-world experience of building and scaling iatroX, our own MHRA-registered clinical AI platform, within this rigorous UK ecosystem. We help you meet the national entry standards, from the NHS Digital Technology Assessment Criteria (DTAC) to the DCB clinical safety framework (NHS Transformation Directorate).
Why insights exists: bridging safety, compliance and adoption
The UK has established a clear and non-negotiable baseline for any digital tool intended for use in the NHS.
- The NHS DTAC is the national entry bar for both buyers and suppliers. NHS buyers are expected to assess a product's DTAC conformance during procurement (NHS Transformation Directorate).
- Clinical risk management expectations are mandated through two key standards: DCB0129, which applies to manufacturers and developers, and DCB0160, which applies to the deploying healthcare organisation (NHS England Digital).
- The MHRA has a specific regulatory lens for software and AI. If your tool's intended purpose qualifies it as a medical device (SaMD), then UK regulations apply, covering its classification, technical documentation, and post-market obligations (GOV.UK).
NHS and MHRA at a glance
- DTAC: The baseline for procurement, covering clinical safety, data protection, security, interoperability, and usability. Learn more.
- DCB0129/0160: The mandatory NHS standards for clinical risk management in the manufacture and deployment of health IT. Learn more.
- MHRA SaMD Guidance: Helps you determine if your software is a medical device and what rules you must follow. Learn more.
What we do — and how each service works
Digital Clinical Safety Officer (CSO) services (DCB0129/0160)
- What: We provide named, accredited Digital Clinical Safety Officer services. We can author or review your clinical safety case, develop your hazard log, and help you establish a robust clinical risk management system from the ground up.
- Why it matters: Compliance with DCB0129 and DCB0160 is mandatory for health IT systems used in the NHS. These standards are the foundation of safe procurement and rollout, and require sign-off from a qualified CSO.
- How we work: We start with a discovery workshop to understand your product, then work with your team to identify hazards, define risk controls, and produce the full suite of safety documentation required for your assurance file. Explore our CSO services here.
DTAC and regulatory readiness
- What: We provide a DTAC gap-analysis, evidence collation, and remediation planning service, covering all five domains of the assessment.
- Why it matters: The NHS digital technology assessment is used by buyers at the point of procurement to gain confidence that a product meets minimum standards. Developers are expected to have a complete and credible DTAC evidence pack ready for NHS entry.
- How we work: We use a structured question set to review your product against the DTAC criteria, help you assemble the required evidence pack, and create a buyer-ready submission. Explore our DTAC services here.
Software/AI as a Medical Device (MHRA) guidance
- What: We help you determine your product's regulatory status, its likely classification, and the documentation pathway you need to follow. We align our advice with the latest MHRA SaMD/AI guidance and the UKCA marking regime.
- Why it matters: If your tool qualifies as a medical device, a specific set of legal and regulatory obligations applies, covering everything from your technical file to your post-market surveillance plan.
- How we work: We use the MHRA's own classification flowcharts to review your product, provide you with a documentation template pack, and help you build a proportionate and compliant post-market plan. Explore our SaMD/AIaMD services here.
Clinician validation and usability studies
- What: We can design and run opt-in surveys, moderated usability tests, and small-scale pilot deployments with clinicians from our engaged UK user community.
- Why it matters: Real-world feedback from credible users is essential for validating your product's usefulness, testing your safety mitigations, and identifying adoption barriers before a large-scale rollout.
- How we work: We work with you to design a study protocol, recruit appropriate (and voluntary) participants, analyse the findings, and produce a clear decision memo. All participation is voluntary and all data is anonymised and aggregated. Explore our validation services here.
Strategic & market-entry advisory
- What: We provide strategic advice on product positioning, your evidence generation strategy, integration pathways, procurement mapping, and building a credible economic narrative for NHS buyers.
- Why it matters: Having robust safety and compliance documentation is only half the battle. This must be translated into a compelling value proposition that gives NHS buyers the confidence to adopt.
- How we work: We use stakeholder interviews and market analysis to help you build a clear go-to-market plan with a realistic milestone tracker. Explore our strategy services here.
Our approach: evidence, ethics, practicality
- Evidence-driven: Our recommendations are always tied directly to the official standards (DTAC, DCB0129/0160) and the real-world expectations of NHS buyers.
- Informed by iatroX: Our advice is pragmatic, not just theoretical. Our insights are informed by the data and feedback from our own engaged clinician community, helping you make decisions that reflect the reality of clinical workflows (all data is aggregated, anonymised, and based on opt-in research).
- Practical: We optimise our services for buyer expectations and the realities of NHS deployment, focusing on building credible assurance files, not just generating paperwork.
Who we work with
We work with innovators at every stage:
- Start-ups and scale-ups building the next generation of clinical software and AI.
- NHS Trusts and ICBs who are deploying new digital tools and need to build a robust local safety case.
- Investors seeking expert clinical risk and NHS adoption due diligence.
Getting started
The first step is a no-obligation introductory call to discuss your needs. A typical first engagement is a DTAC and clinical safety gap-analysis, which provides you with a clear, actionable plan to get your product "buyer-ready" within 4–6 weeks. For potential SaMD/AIaMD products, we would also include an MHRA classification and documentation workstream. Book an introductory call on our insights page.
FAQs
- What is DTAC and why does it matter?
- The NHS Digital Technology Assessment Criteria (DTAC) is the national baseline used by NHS buyers during procurement. Developers are expected to meet its standards on clinical safety, data protection, cybersecurity, interoperability, and usability to be considered for use in the NHS.
- What’s the difference between DCB0129 and DCB0160?
- DCB0129 is the clinical risk management standard that applies to the manufacturer or developer of a health IT system. DCB0160 is the standard that applies to the adopter organisation (e.g., an NHS Trust) that is deploying the system.
- Is my software a medical device?
- It depends on its intended purpose and functionality. The MHRA’s official guidance on Software as a Medical Device (SaMD) provides flowcharts to help you determine your product's status and your regulatory obligations (e.g., the need for a UKCA mark).
- How do you handle clinician data from iatroX?
- All research and validation studies are strictly opt-in. Any data used to inform our advisory services is fully anonymised and aggregated. We never sell personal data.